Many companies continue to struggle to secure their data and identify and address system vulnerabilities. But chief information security officers (CISOs) are finding the best way to defend against hackers might be to hire a hacker of their own.
However, that expertise and security assurance comes at a hefty price, according to Matt Comyns, global co-head of search firm Russell Reynolds Associates’ cybersecurity practice in this recent article. CISOs themselves can command between $500,000 and $700,000 a year, with compensation at some technology companies reaching as high as $2 million, with generous equity grants included, Comyns says. In comparison, CISOs who have been with a company for five or more years are on average receiving $200,000 to $300,000 per year, Comyns said.
Hackers for Hire
“If you’re a CISO and you’re looking to build a great security team, one of the best places to start is with a white-hat hacker, or a certified ethical hacker,” says Ryan Lee, COO of online IT skills training firm CBT Nuggets.
“Of course, some companies shy away because these folks are expensive, but without an emphasis on proactive security, the costs to a company could be even more disastrous,” Lee says. Certified ethical hackers can command salaries upwards of six figures, he says, though the specific range depends on each company individually.
The demand for CISOs and security specialists like white-hat hackers is somewhat anecdotal, but overall the IT community is becoming increasingly nervous about security issues and there is an uptick in interest in security and ethical-hacking related content, says IT security expert and training professional James Conrad, who develops and teaches security and ethical hacking courses for CBT Nuggets.
“One of the things I’ve noticed is the escalating need for security pros at all levels, especially in the last few years,” Conrad says. “When the Web was young, security was a secondary priority, but as unscrupulous people found ways to exploit vulnerabilities, it moved quickly to the top of the list, and it has stayed there,” he says.
However, while the demand for highly skilled security pros hasn’t lessened, the available talent pool has, especially among specialized talent like vulnerability testers, penetration testers and white-hat hackers, he says.
“Most IT security pros are already working between 40 and 60 hours a week maintaining, building, patching systems and otherwise putting out fires,” Conrad says. “They just don’t have the time to do much more, especially in the area of finding new vulnerabilities. Sure, there are teams of security personnel, and in an ideal world they could devote their time to these issues. But in the real world, that stuff is pushed aside in favor of day-to-day routine work,” he says.
Complacency Is Costly in the Security Biz
And that complacency is all a hacker needs to enter and exploit a company’s systems, data and information. That’s especially true when dealing with large organizations with less-secure branch offices or with small businesses that don’t have huge security budgets in the first place, Conrad says.
Unfortunately, many companies don’t understand the value of having hackers working for them, even as security breaches, data loss and state-sponsored cyber attacks dominate the headlines, says CBT Nuggets’ Lee.
“The highly publicized Target and Neiman Marcus security breaches [and] the discovery of the Chinese hackers targeting the U.S. are the kinds of advanced, persistent threats companies face every day, and it can be expensive and time-consuming to proactively fight against them,” Lee says. “But that’s how these threats have to be handled,” he says.
Education is the best weapon, Lee says. Certified ethical hackers can help businesses understand both the nature of the threats and the potential for disaster by discovering potential vulnerabilities and stopping attacks before they begin.
“The goal of most of the honest, white-hat folks is to become a penetration tester, to perform legal hacks on systems to determine vulnerabilities,” says CBT Nuggets’ Conrad. But many times ethical hackers’ hands are tied, so to speak, by the legalities of contracts, privacy statutes and compliance concerns.
A License to Hack
“When an ethical hacker is contracted, oftentimes they must sign a legal contract based on an attorney’s advice that defines the scope of the work they’re doing, what data and systems they can and can’t access, as well as the length of time they can devote to these hacks,” Conrad says. In most cases, ethical hackers are given a few weeks in which to work, and that’s just not enough time.
“It’s such a challenge. Black-hat hackers sometimes take months and even years to create and deploy attacks; it’s not like they are bound by traditional ethics codes,” Conrad says. “The longer you can give a white-hat to work within your systems, the better, but many companies bury their heads in the proverbial sand and don’t want to spend the money on doing so — until it’s too late,” he says.
While some of the most obvious hacks and attacks can be found and exploited within a week, many of the more sophisticated attackers will ignore the “low-hanging fruit” and simply wait out businesses for weeks, months or years in order to gain the data or the access they desire, Conrad says.
While many businesses that employ white-hats will feel they’re adequately protected because they’ve kept up with patches, antivirus, anti-spam and software updates and have hired an ethical hacker to address blatant vulnerabilities, they often find they’ve missed more complicated, less obvious vulnerabilities.
“One of the most important jobs an ethical hacker has is to educate companies on how hackers can leverage their way into the systems,” says Conrad. “They have to prove their own ROI, in a sense, and justify why it’s worth a business paying them the six-figure salaries they can now command,” he says.
Is There Honor Among Hackers?
Of course, this begs the question: How do you know for certain that the ethical hackers you’ve hired are, in fact, ethical? Unfortunately, you can’t ever know for sure, says Conrad, since the entire profession of white-hat and ethical hackers is based on a code of personal integrity and an ‘honor system.’
“When you become a certified ethical hacker, you do have to sign a legal document agreeing that you will use your powers for good, not for evil,” Conrad says. “But that’s no guarantee, and, unfortunately, there’s really no way to be absolutely sure. It’s one of the built-in risks companies have to take in order to address these threats,” he says.
CBT Nuggets currently offers version 7 of its Ethical Hacking course and is in the process of finishing version 8 of the class, which will be released in its final form in June 2014. CBT Nuggets’ Lee says version 8 has already amassed more than 12,000 views, and expects that number to keep growing as security concerns and highly publicized attacks dominate headlines.
“Security as a whole is a huge area right now, especially with news of Target, eBay, Neiman Marcus and others,” Lee says. “It is key to educate and open people’s minds to the dangers and the cyber security threats out there, and that’s what we’re trying to do,” he says.
To become a certified ethical hacker, candidates should have a minimum of helpdesk-level IT skills, some server experience and familiarity with Linux, says Conrad. Obviously, the more experience the better, but resources like those available at CBT Nuggets can help developers quickly get up to speed, he says.
“The market’s wide open for certified ethical hackers, especially as attacks become more sophisticated and vulnerabilities less obvious,” Conrad says. “There’s not a lot of folks out there doing these kinds of hacks — yet. But the damage they can do is monumental and the need for these skills will continue to grow,” he says.